Rewterz Threat Alert – Chase Themed Phishing Campaign
March 8, 2019
Rewterz Threat Alert – SLUB Backdoor Uses GitHub, Communicates via Slack
March 8, 2019
Severity
Medium
Analysis Summary
A malicious Microsoft Word document retrieved from one campaign contains Visual Basic for Applications (VBA) macros that download and execute a malicious payload. The payload was identified as a variant of the Emotet banking Trojan.
Another file, retrieved from a different malware campaign, is a .NET executable that contains a large bitmap resource. The resource is decoded into a keylogger and two password-stealing programs. The dropped file is a text file that contains the path to the .NET executable.
Indicators of Compromise
| Indicator type | Values |
| --- | --- |
| IP(s) / Hostname(s) | 109.129.2[.]50, 115.71.233[.]127, 115.93.16[.]173, 117.247.233[.]82, 118.69.35[.]66, 121.74.198[.]58, 122.176.109[.]10, 123.136.174[.]52, 147.83.156[.]162, 148.243.206[.]110, 173.255.196[.]209, 178.254.31[.]162, 178.62.37[.]188, 181.119.30[.]25, 183.82.112[.]154, 183.82.120[.]85, 186.4.165[.]50, 186.90.227[.]239, 187.144.76[.]174, 189.149.3[.]197, 189.194.250[.]74, 189.230.124[.]74, 190.0.1[.]30, 190.109.223[.]50, 190.147.100[.]8, 190.228.72[.]180, 190.94.79[.]239, 196.209.233[.]234, 198.74.58[.]47, 2.50.183[.]165, 203.99.177[.]144, 211.115.111[.]19, 211.248.17[.]209, 217.13.106[.]160, 217.165.2[.]29, 218.90.156[.]188, 27.147.163[.]188, 27.96.91[.]73, 45.123.3[.]54, 5.230.147[.]179, 58.65.178[.]100, 62.75.191[.]231, 67.205.149[.]117, 69.195.223[.]154, 69.198.17[.]7, 75.99.13[.]124, 83.222.124[.]62, 91.98.29[.]206, 93.109.229[.]250, 95.141.175[.]240, 98.142.208[.]27, 192.99.212[.]64 |
| URLs | eirak[.]co, intraelectronics[.]com, kantova[.]com, linkingphase[.]com, motoruitjes[.]nl, radwomenbusinessowners[.]com |
| Filename | 833.exe, US691260150692912.doc, DOC-80179.doc, emotet_e2_096e1cca4006f4c5cb050ba25b7f637cb498b80f3ed05895d0735ea75255823f_2019-01-16__185002.exe_, Mina.exe, Windows_Update.exe |
| Malware Hash (MD5/SHA1/SHA256) | 8fbc86605f0a433a82e9d1a0b19c3051, 096e1cca4006f4c5cb050ba25b7f637cb498b80f3ed05895d0735ea75255823f, 4f034492bc4d152f98c083ba3d9a1c24b3062a2917c89551857c4d310e481c9c, 13370bd1e38381613def999e97a28c08840fbf4f9178f3b31f8db76644ad5a45 |
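The indicators above are published defanged (`[.]` instead of `.`), so they have to be refanged before a proxy, DNS resolver or EDR can use them. The script below is an added example and not part of the Rewterz alert: it refangs the alert's own IP, domain and hash values, validates the addresses, and sweeps constructed proxy/DNS/EDR-style log lines for any match, treating a listed domain as covering its subdomains. The log lines are invented for illustration only.

```python
"""Refang the defanged indicators from this alert and match them against logs.

Added example; it is not part of the Rewterz alert. The indicator values are
copied from the alert's IoC table; the log lines are constructed for
illustration and do not come from any real incident.
"""
import ipaddress
import re

# Indicators as published (defanged with "[.]" so they cannot be clicked).
DEFANGED_IPS = """
109.129.2[.]50 115.71.233[.]127 115.93.16[.]173 117.247.233[.]82 118.69.35[.]66
121.74.198[.]58 122.176.109[.]10 123.136.174[.]52 147.83.156[.]162 148.243.206[.]110
173.255.196[.]209 178.254.31[.]162 178.62.37[.]188 181.119.30[.]25 183.82.112[.]154
183.82.120[.]85 186.4.165[.]50 186.90.227[.]239 187.144.76[.]174 189.149.3[.]197
189.194.250[.]74 189.230.124[.]74 190.0.1[.]30 190.109.223[.]50 190.147.100[.]8
190.228.72[.]180 190.94.79[.]239 196.209.233[.]234 198.74.58[.]47 2.50.183[.]165
203.99.177[.]144 211.115.111[.]19 211.248.17[.]209 217.13.106[.]160 217.165.2[.]29
218.90.156[.]188 27.147.163[.]188 27.96.91[.]73 45.123.3[.]54 5.230.147[.]179
58.65.178[.]100 62.75.191[.]231 67.205.149[.]117 69.195.223[.]154 69.198.17[.]7
75.99.13[.]124 83.222.124[.]62 91.98.29[.]206 93.109.229[.]250 95.141.175[.]240
98.142.208[.]27 192.99.212[.]64
""".split()

DEFANGED_DOMAINS = """
eirak[.]co intraelectronics[.]com kantova[.]com linkingphase[.]com
motoruitjes[.]nl radwomenbusinessowners[.]com
""".split()

HASHES = """
8fbc86605f0a433a82e9d1a0b19c3051
096e1cca4006f4c5cb050ba25b7f637cb498b80f3ed05895d0735ea75255823f
4f034492bc4d152f98c083ba3d9a1c24b3062a2917c89551857c4d310e481c9c
13370bd1e38381613def999e97a28c08840fbf4f9178f3b31f8db76644ad5a45
""".split()


def refang(indicator):
    """Reverse the usual defanging so the value can be fed to a control."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_blocklist(ips=DEFANGED_IPS, domains=DEFANGED_DOMAINS, hashes=HASHES):
    """Return (ip_set, domain_set, hash_set); every IP is validated on the way in."""
    ip_set = {str(ipaddress.ip_address(refang(ip))) for ip in ips}
    domain_set = {refang(d).lower() for d in domains}
    hash_set = {h.lower() for h in hashes}
    return ip_set, domain_set, hash_set


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)
HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{32}\b")

# Constructed proxy / DNS / EDR-style lines for demonstration only.
SAMPLE_LOGS = [
    "2019-03-08T10:01:02Z proxy src=10.0.0.15 dst=190.0.1.30:8080 host=190.0.1.30 GET /wp-content/",
    "2019-03-08T10:01:05Z dns client=10.0.0.15 query=cdn.kantova.com type=A",
    "2019-03-08T10:02:00Z dns client=10.0.0.22 query=www.example.com type=A",
    "2019-03-08T10:02:10Z proxy src=10.0.0.22 dst=8.8.8.8:53",
    "2019-03-08T10:03:00Z edr host=WS-17 file=C:\\Users\\a\\AppData\\Local\\Temp\\833.exe md5=8fbc86605f0a433a82e9d1a0b19c3051",
]


def find_hits(lines, blocklist):
    """Return (indicator, line) pairs for every line touching a listed IoC."""
    ip_set, domain_set, hash_set = blocklist
    hits = []
    for line in lines:
        matched = set()
        for ip in IP_RE.findall(line):
            if ip in ip_set:
                matched.add(ip)
        for host in HOST_RE.findall(line):
            host = host.lower()
            # A listed domain matches itself and any of its subdomains.
            if host in domain_set or any(host.endswith("." + d) for d in domain_set):
                matched.add(host)
        for digest in HASH_RE.findall(line):
            if digest.lower() in hash_set:
                matched.add(digest.lower())
        hits.extend((m, line) for m in sorted(matched))
    return hits


if __name__ == "__main__":
    for indicator, line in find_hits(SAMPLE_LOGS, build_blocklist()):
        print(f"HIT {indicator}: {line}")
```

Filenames from the table are deliberately not matched: names such as `Windows_Update.exe` collide with legitimate files, so they belong in a hunt query, not a blocklist. Hash matching only fires on the sample line that carries an MD5; the SHA256 values are matched the same way when an EDR emits them.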
Remediation
- Block the threat indicators at their respective controls.
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up-to-date.
- Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
- Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
- Scan all software downloaded from the Internet prior to executing.
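The "true file type" check in the remediation list means comparing an attachment's extension with the signature bytes at the start of the file, so that an executable renamed to `.doc` is caught before a user opens it. The script below is an added example and not part of the Rewterz alert: it implements that comparison for the formats this alert involves (legacy Word, OOXML, PE executables, PDF), blocks anything whose header says PE regardless of its name, and flags disagreements for review. The sample attachments are constructed in memory and are not the files listed in the alert.

```python
"""Verify that an attachment's extension agrees with its file header ("true file type").

Added example; it is not part of the Rewterz alert. The signatures below are
the well-known leading bytes of each format; the sample attachments are
constructed in memory and do not correspond to any real file from the alert.
"""
import os

# Leading bytes ("magic numbers") of the formats this alert touches on.
SIGNATURES = {
    ".doc":  (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",),  # OLE2 compound file (legacy Word)
    ".docx": (b"PK\x03\x04",),                        # OOXML is a ZIP container
    ".exe":  (b"MZ",),                                # PE executable (also .dll, .scr)
    ".pdf":  (b"%PDF-",),
}
EXECUTABLE_TYPES = {".exe"}


def detected_types(header):
    """Extensions whose signature matches the leading bytes of the file."""
    return {ext for ext, sigs in SIGNATURES.items()
            if any(header.startswith(sig) for sig in sigs)}


def check_attachment(filename, header):
    """Return (verdict, reason) for one attachment given its first bytes.

    Verdicts: 'block' (executable content, whatever the name), 'ok' (extension
    and header agree), 'mismatch' (they disagree), 'unknown' (no signature).
    """
    ext = os.path.splitext(filename)[1].lower()
    found = detected_types(header)
    if found & EXECUTABLE_TYPES:
        return "block", f"{filename}: header identifies a PE executable"
    if ext in found:
        return "ok", f"{filename}: extension matches header"
    if found or ext in SIGNATURES:
        looks_like = sorted(found) or "none of the known types"
        return "mismatch", f"{filename}: extension {ext!r} but header looks like {looks_like}"
    return "unknown", f"{filename}: no signature known for {ext!r}; send to sandbox or manual review"


# Constructed sample attachments (name -> first bytes); in a gateway these
# would come from reading the first 16 bytes of each decoded attachment.
SAMPLES = {
    "invoice.doc": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 8,
    "proposal.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "scan.doc": b"MZ\x90\x00\x03\x00\x00\x00",           # executable renamed to .doc
    "statement.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",  # double extension
    "report.pdf": b"%PDF-1.7\n%\xE2\xE3\xCF\xD3\n",
    "photo.docx": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",   # legacy format under a .docx name
    "notes.txt": b"Meeting notes\n",
}


def scan_samples(samples=SAMPLES):
    """Run the check over every sample and return {filename: verdict}."""
    return {name: check_attachment(name, header)[0] for name, header in samples.items()}


if __name__ == "__main__":
    for name, header in SAMPLES.items():
        verdict, reason = check_attachment(name, header)
        print(f"{verdict:8} {reason}")
```

The PE check runs before the extension comparison on purpose: a file whose bytes start with `MZ` is executable whatever it is called, and that is the case the remediation is aimed at. A `.doc` whose header is not OLE2 is reported as a mismatch rather than silently allowed, and types with no signature (plain text here) are left for a sandbox or reviewer rather than being treated as clean.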